iOS apps leak more user data than Android apps

An analysis of transactions originating from devices protected by Zscaler security products reveals that iOS applications leak private user information in more situations than Android apps.

The result of this study shows that the generally accepted theory of iOS being more secure than Android doesn't necessarily apply to the apps running on these two platforms.

According to data gathered in the last quarter, Zscaler says it detected around 200,000 transactions from a total of 45 million, where an app has leaked user data. The type of leaked information includes personally identifiable information (PII) (user mobile number and email addresses), geo-location data (latitude and longitude coordinates), and device metadata (IMEI, MAC, IMSI numbers, Network, OS, SIM card information, manufacturer).

"iOS apps leaked user data in over 130,000 operations"

The biggest offender were iOS apps. Zscaler says it tracked 26 million transactions originating from iOS devices and their apps, of which 0.5 percent leaked user data, for a total of 130,000 operations. The vast majority of the leaked data, 72.3 percent, was related to a user's device information.

Additionally, 27.5 percent of transactions leaked geo-location coordinates, while only 0.2 percent of the apps exposed PII data. 70 percent of all the transactions that leaked private user data were traced back to iOS devices in China, and 20 percent to devices in South Africa. The US, the UK, and the Republic of Ireland made up the rest of the top 5.

"Android apps exposed private user data in only 60,000 transactions"

When it came to Android apps, Zscaler says that from the 20 million transactions the company tracked, 0.3 percent leaked user data, or around 60,000 transactions. Of these, 58 percent leaked device metadata, 39.3 percent leaked geo-location coordinates, and 3 percent leaked sensitive PII data.

Most of the leaky Android devices were located in the US (55 percent), the UK (16 percent), and China (12 percent). The problem here is the potential for long-term threats. An attacker that taps into a company's traffic can gather large amounts of reconnaissance information over time, which he can later use in individually-targeted attacks such as spear-phishing, smishing, or denial of service (DoS).